Page 1 of 1
basic table lookup question
Posted: Thu Jan 24, 2008 5:51 pm
by mc3
I can't figure out what I'm doing wrong here. I've got a form where the user enters their username and password. I'm trying to verify that the password associated with the username matches what the user entered.
But there seems to be something wrong in my code because no matter what the user enters for password, the results of [if ($checkpasswordresult != $pw)] always occur.
Any help is appreciated!
Code: Select all
<?php
$con = mysql_connect("**","***","***");
mysql_select_db("mydatabase") or die( "Problems connecting to the database...");
$user = $_POST["user"];
$pw = $_POST["pw"];
$email = $_POST["email"];
//check username
$checkusername = mysql_query("SELECT user FROM mydatabase WHERE user = '$user'");
$numuserrows=mysql_num_rows($checkusername);
if ($numuserrows==0)
{
echo "Sorry, we can't find that username. Be sure you typed it correctly.";
die;
}
//check password
$checkpassword = mysql_query("SELECT pw FROM mydatabase WHERE user = '$user'");
$checkpasswordresult = mysql_fetch_object($checkpassword);
if ($checkpasswordresult != $pw)
{
echo "Password wrong.";
die;
}
scottayy| Please use tags when posting php code in the forums.[/color]
Re: basic table lookup question
Posted: Thu Jan 24, 2008 6:57 pm
by thinsoldier
If someone's trying to guess usernames/passwords you don't want to give them hints by confirming a username is correct while the password is wrong. Either they get them both right or they don't get anything but a generic error message ("Username or Password incorrect")
Code: Select all
// .... connect to database
$user = mysql_real_escape_string($_POST["user"]);
$pw = mysql_real_escape_string($_POST["pw"]);
$email = mysql_real_escape_string($_POST["email"]);
$result = mysql_query("SELECT user, pw FROM mydatabase WHERE user = '$user' AND pw='$pw' LIMIT 1");
if(mysql_num_rows($result) != 1){die;}
//.... or something along those lines is what I'd do
an alternative to lines 4-6:
foreach($_POST as $key=>$value)
{ $$key = mysql_real_escape_string($value); }
google for "variable variables in php"
but to actually answer your question:
you need to look inside of the $checkpasswordresult object for the ->pw part of it and compare that to your $pw var.
if($pw == $checkpasswordresult->pw){ thanks for logging in } else {die;}
try doing:
Code: Select all
echo '<pre>'.print_r($checkpasswordresult).'</pre>';
to see everything inside of your object.
This also works with array variables.
Sometimes it's also very useful to use var_dump in place of print_r.
http://php.net/print_r
http://php.net/var_dump
http://php.net/mysql_fetch_object
http://php.net/mysql_fetch_assoc
http://php.net/mysql_fetch_array
Re: basic table lookup question
Posted: Thu Jan 24, 2008 10:00 pm
by califdon
mc3 wrote:Code: Select all
. . .
//check username
$checkusername = mysql_query("SELECT user FROM mydatabase WHERE user = '$user'");
$numuserrows=mysql_num_rows($checkusername);
. . .
//check password
$checkpassword = mysql_query("SELECT pw FROM mydatabase WHERE user = '$user'");
$checkpasswordresult = mysql_fetch_object($checkpassword);
if ($checkpasswordresult != $pw)
{
echo "Password wrong.";
die;
}
In the case of the username, you only needed to check the number of rows returned, which works. In the case of the password, you have to actually examine the data in a field. Your variable $checkpasswordresult is not a single piece of data, it is a "resource" (pointer) to an object, so it can never be equal to a string.
I would suggest making just one query to the database, using both the username and password in the WHERE clause, then if either of them fail to match, you get zero rows returned, and as thinsoldier said, you can merely advise the user that his attempt to login has failed. If, for some reason, you do need to treat an invalid password differently than an invalid username, you could do something like this, still making just one query:
Code: Select all
$sql="SELECT user, pwd FROM myTable WHERE user='$user'";
$result=mysql_query($sql);
if (mysql_num_rows($result)==0) {
// no user found
} else {
$row=$mysql_fetch_array($result);
$db_user=$row[0];
$db_pwd=$row[1];
// now compare your submitted username and password against these
}
Re: basic table lookup question
Posted: Fri Jan 25, 2008 8:07 am
by mc3
Great advice. Thanks!
Re: basic table lookup question
Posted: Fri Jan 25, 2008 9:47 am
by pickle
Please, please,
please do some basic encryption/hashing of the password. Even running it through
md5() is better than storing it in plaintext.